Installing Nikto on Windows
Nikto is a fast, extensible, free open source web scanner written in Perl. Nikto is great for running automated scans of web servers and application. Unlike passive tools like Paros or WebScarab, Nikto is active and automated, so there's no need to set up a proxy and navigate a site by hand. Because Nikto relies on OpenSSL it is most easily installed and run on a Linux platform. However, there are times when you might not have easy access to a Linux platform but still want to have the ability to run Nikto. The following tutorial will show you the many convoluted steps needed to install Nikto on Windows XP. I tested this process on Windows XP Professional, service pack 3, but it will probably work on other configurations.
The first step to getting Nikto to run is to install Perl. Fortunately for Windows users, ActiveState releases Active Perl, which is free. Download Active Perl from their site at ActiveState.com. Once you have downloaded Perl, install it in an easy to access location, such as C:\Perl. Next update your PATH environmental variable so that C:\Perl\bin is in your PATH. To do this right click on your 'My Computer' icon, select 'Properties', click the 'Advanced' tab, and click the 'Environmental Variables' button at the bottom. This will open a new window. In the bottom half of this window, in the 'System variables' frame you should see an item called 'Path'. Click 'Path' and then the 'Edit' button. Path variables are separated by a semi-colon, so scroll to the end of the 'Variable value' text box and add ";C:\Perl\bin;" to add Perl to your PATH environmental variable. Now click 'OK' on on the open boxes to close things up again. (See the related article on MadIrish.net for further details)
Once you have Perl installed you're going to need to begin the arduous task of getting OpenSSL built and installed. The first thing you'll need is the 7zip utility from 7-zip.org. You're going to need this because several of the files are distributed as zipped tar files (.tar.gz or .tgz extensions). 7zip allows you to unzip and untar these files.
Next you need Microsoft Visual C++ Redistributable from Microsoft.com. Be sure to get the version from this link, as it is known to work with this process. Once the download is complete, install the program.
You're also going to need the Windows equivalant of the Unix 'make' utility, called 'nmake'. Download Nmake15.exe from Microsoft's site at Microsoft.com. You should rename this to 'nmake.exe' and put it's location in your Path environmental variable. I created a folder called C:\bin and then put all such files in there. I've added C:\bin to my Path environmental variable. You can test to see if this is configured correctly by opening a command prompt (Start->Run->Command) and typing 'nmake' to see if you get any output. If you get an error that says "'nmake' is not recognized as an internal or external command, operable program or batch file" then it isn't installed or the environmental variable isn't set up properly. Note that when you change an environmental variable you have to open a new command prompt for changes to take effect.
Now you have to install a C compiler. The best one to use for this job is MinGW because it includes a g++ compiler. Download MinGW from MinGW.org and install it. Be sure to select g++ in addition to the default components when installing MinGW. Once installed add the path to gcc.exe to your Path environmental variables, it's usually located in C:\MinGW\bin. Once you've done this test to ensure that MinGW is installed properly. Type the following command at a command prompt to view the version information:
C:\>gcc -v
Now that you've got all the tools you need to build OpenSSL go ahead and download OpenSSL from SLProWeb.com. Run the installer and install OpenSSL into C:\OpenSSL. Add the following to your Path environmental variables:
C:\OpenSSL C:\OpenSSL\bin C:\OpenSSL\lib C:\OpenSSL\include C:\OpenSSL\include\openssl
Once installed double click on the program C:\OpenSSL\bin\openssl.exe. If you get an error then something has gone wrong. If there is no error a command prompt should open with the "SSL>" prompt at the front of the line.
Now that OpenSSL is installed we can install Net_SSLeay.pm, the Perl SSL module. You can download this module from CPAN.org. The download link is on the right and should be something like Net_SSLeay.pm-1.25.tar.gz. Download this file and extract it by right clicking on it, selecting 7zip, then the 'Extract here' option. I put the final extracted Net_SSLeay.pm-1.25 folder in my C:\Temp folder just because there were problems when it was in a path with a space (such as "C:\Documents and Settings"). Once you've extracted the file it's time to build the Net_SSLeay module. To do this type the following:
C:\Temp\Net_SSLeay.pm-1.25> perl Makefile.PL -windows C:/OpenSSL
You'll notice the slash in the file path to OpenSSL is backwards. Perl interprets command paths with Unix style forward slash separations. If you use a backslash the command won't execute properly. Once the Makefile is written it's time to build the module. Use this command to build it:
C:\Temp\Net_SSLeay.pm-1.25> nmake
Once that completes, install the module using:
C:\Temp\Net_SSLeay.pm-1.25> nmake install
You may get some errors reported at the end of the output. If this is the case the installation might not have gone completely smoothly. Check in the C:\Temp\Net_SSLeay.pm-1.25 directory and see if a SSLeay.pm file exists. If it does simply copy it into your Perl directory (C:\Perl\lib\Net\) and you should be fine.
Once OpenSSL and SSLeay are installed you can use Nikto. Download Nikto from http://www.cirt.net/nikto2 into it's own folder (I chose C:\Program Files\Nikto2). Nikto is a series of Perl scripts so there's no need to run an installer. Once Nikto is downloaded and extracted open a command prompt and navigate to the Nikto folder. You can run Nikto using:
C:\Program Files\Nikto2> perl nikto.pl -h 192.168.0.1
Where 192.168.0.1 is the target of your testing. Make sure you target a website you control or have permission to test. Others might not take so kindly to your testing their sites without permission.
Form more information about how to actually use Nikto see their documentation at http://cirt.net/nikto2-docs/.